How to get BundleID from sourceAppAuditToken ?

I have gathered that I should use SecCodeCopyGuestWithAttributes with the flag

kSecGuestAttributeAudit.

However, I am unclear as to exactly how to do it:

- how can I convert a

kSecGuestAttributeAudit to a SecCSFlags ?

- how can I convert flow.sourceAppAuditToken to UnsafeMutablePointer<SecCode?> ?

- should I use nil for host ?

it was suggested to look at

<bsm/libbsm.h>

. However this seems to be Objective-C and deprecated ?

The libbsm API is neither in Objective-C nor deprecated. You can access it from Swift like you’d access any other C API:

• If the API is modularised, import that.

• If not, use a bridging header.

It turns out that libbsm is modularised, so you can just go

import Darwin.bsm

I have gathered that I should use

SecCodeCopyGuestWithAttributes

with the flag

kSecGuestAttributeAudit

.

Correct. However, you seem to be off in the weeds with regards calling that. Pasted in below is some code looks up the bundle ID based on the audit token.

IMPORTANT If you’re building a security product, basing security decisions on the bundle ID is unwise. While the bundle ID is sealed by the code signature, there’s nothing stopping folks from spoofing it. For example, anyone can build an app with a bundle ID of

com.apple.finder

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

func bundleIDForAuditToken(_ tokenData: Data) -> String? {

    // Get a code reference.

    var codeQ: SecCode? = nil
    var err = SecCodeCopyGuestWithAttributes(nil, [
        kSecGuestAttributeAudit: tokenData
    ] as NSDictionary, [], &codeQ)
    guard err == errSecSuccess else {
        return nil
    }
    let code = codeQ!

    // Convert that to a static code.

    var staticCodeQ: SecStaticCode? = nil
    err = SecCodeCopyStaticCode(code, [], &staticCodeQ)
    guard err == errSecSuccess else {
        return nil
    }
    let staticCode = staticCodeQ!

    // Get code signing information about that.

    var infoQ: CFDictionary? = nil
    err = SecCodeCopySigningInformation(staticCode, [], &infoQ)
    guard err == errSecSuccess else {
        return nil
    }
    let info = infoQ! as! [String:Any]

    // Extract the bundle ID from that.

    guard
        let plist = info[kSecCodeInfoPList as String] as? [String:Any],
        let bundleID = plist[kCFBundleIdentifierKey as String] as? String
    else {
        return nil
    }
    return bundleID
}

Hi Eskimo, that is right, it is modularized and not deprecated. I was misled by the fact that when I type "import Darwin" it appears with a red strikethrough, which I mistakenly interpreted as deprecated.

Thanks a lot for the code, I was indeed missing this. I was looking around for this info, but couldn't find the procedure you sent on "https://developer.apple.com/documentation/security/code_signing_services"

Is there another source of documentation or code examples that you would recommend ?

Thanks for the tip on using the code's designated identifier. I assume you mean

kSecCodeInfoIdentifier

Thanks a lot for your help!

Hey Eskimo,

the code works great except for one thing, it will add these errors to the log:

MacOS error: -25337
CSSM Exception: 3 unknown error 3=3
CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR

Also, when I try to run SecCodeCheckValidity, it will error out. Maybe it's related (though I get the errors above even when I do not call this function).

Any idea what the issue could be? Maybe I am missing some entitlements in my app, to validate code?

Thanks for the tip on using the code's designated identifier.

Whoah! I wrote completely the wrong thing there. I meant to say designated requirement.

I assume you mean

kSecCodeInfoIdentifier

.

No, sorry, my typo has mislead you )-: You should be looking to

kSecCodeInfoDesignatedRequirement

SecRequirement

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"